CJU v HealthShare NSW

Case

[2021] NSWCATAD 372

15 December 2021

Civil and Administrative Tribunal


New South Wales

Medium Neutral Citation: CJU v HealthShare NSW [2021] NSWCATAD 372
Hearing dates: 27 October 2021
Date of orders: 15 December 2021
Decision date: 15 December 2021
Jurisdiction: Administrative and Equal Opportunity Division
Before: A Christie, Senior Member
Decision:

(1)   The Respondent failed to comply with s 10 PPIP Act/IPP 3 by not taking reasonable steps, either before or as soon as practicable after the collection of the Applicant’s personal information, to notify the Applicant of the matters in ss 10 (a) to (f) PPIP Act.

(2)   The Respondent disclosed the Applicant’s personal information to SESLHD in a breach of s 18(1) PPIP Act/IPP 11 and neither the exception in s 18(1)(a) PPIP Act nor the exemption in s 27A PPIP Act are made out in relation to Conduct of Concern 2.

(3)   The Applicant is to file and serve submissions as to remedy by 21 January 2022.

(4)   The Respondent is to file and serve submissions as to remedy within 28 days after receipt of the Applicant’s submissions referred to in (3).

(5)   The Applicant may file and serve submissions in reply to the Respondent’s submissions as to remedy within 14 days after receipt of those submissions referred to in (4).

(6)   The matter is to be relisted for directions before Senior Member Christie as to remedies on 25 March 2022 at 10am.

Catchwords:

ADMINISTRATIVE REVIEW – personal information - disclosure of personal information relating to an inquiry and complaint to one agency by that agency to another agency in contravention of s 18 (IPP 11) of the Privacy and Personal Information Act 1998 – requirements for the exception in s 18 (1)(a) and exemption in s 27A of the Privacy and Personal Information Act 1998 – contravention of s 10 (IPP 3) of the Privacy and Personal Information Act 1998

Legislation Cited:

Administrative Decisions Review Act 1997

Civil and Administrative Tribunal Act 2013

Privacy Act 1988 (Cth)

Privacy and Personal Information Protection Act 1998

Cases Cited:

AIN v Medical Council of New South Wales [2017] NSWCATAP 23

AOZ v Rail Corporation NSW [2014] NSWCATAP 76

BV v the Commissioner of Police (New South Wales) [2021] NSWCATAD 250

CDV v Illawarra Shoalhaven Local Health District [2016] NSWCATAD 302

CEU v University of Technology Sydney [2018] NSWCATAD 13

DED v Randwick City Council [2017] NSWCATAD 327

Department of Education and Training v GA (No 3) [2004] NSWADTAP 50

Department of Education and Training v ZR (No 2) [2009] NSWADTAP 44

DMW & DMX v NSW Rural Fire Service [2019] NSWCATAD 158

DMW and DMX v NSW Local Land Services [2019] NSWCATAD 128

Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409

EIG v North Sydney Council [2021] NSWCATAD 313

EMF v Cessnock City Council [2021] NSWCATAD 219

Insurance and Care NSW v EEH [2021] NSWCATAP 350

KT v Sydney Local Health Network [2011] NSWADT 171

Nasr v State of New South Wales (2007) NSWCA 101

Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4

ZR v Department of Education and Training (GD) [2010] NSWADTAP 75

Texts Cited:

Nil

Category: Principal judgment
Parties: CJU (Applicant)
HealthShare NSW (Respondent)
Representation: Solicitors:
Applicant (Self Represented)
Crown Solicitor (Respondent)
File Number(s): 2021/00077742
Publication restriction: Pursuant to s64 of the Civil and Administrative Tribunal Act 2013 the publication of the name of the applicant in these proceedings or reference to any information, picture or other material that identifies that person or is likely to lead to the identification of the person is prohibited.

REASONS FOR DECISION

  1. In these reasons for decision the name of the Applicant has been anonymised so as to preserve the privacy of their personal affairs. The Applicant is referred to as CJU. I have also limited my discussion of the evidence in order to avoid the possibility that the identity of the Applicant might be revealed.

  2. These proceedings concern the question of whether or not the Respondent breached the Privacy and Personal Information Protection Act 1998 (PPIP Act) by disclosing, without the Applicant’s knowledge or consent, the Applicant’s personal information to the South Eastern Sydney Local Health District (SESLHD) following an inquiry from and complaint by the Applicant to the Respondent, which disclosures the Applicant alleges were contrary to s 18 PPIP Act/Information Privacy Principle (IPP) 11.

  3. As Ordered by the Tribunal on 24 May 2021, these proceedings are only to determine the issue of liability. What remedies, if any, should be ordered will be the subject of further proceedings once the issue of liability has been determined.

Background

  4. The Applicant and the Respondent both provided an outline of the events and interactions leading to the Applicant’s request for internal review and I understand that the chronology of events and evidence as to the content of the email correspondence between the parties is not in dispute.

  5. On 11 June 2020 the Applicant sent an email to Ms Le Sage, a Senior Customer Relationship Officer with the Respondent. In summary and most relevantly, the Applicant stated in that email:

“1   I am an employee in NSW.

2   I am contacting you to ask for assistance to advise me if

Either,

-   there is any comments about me in the recruitment system? Who placed it?

Or

-   my name – in error – was placed in the Service Check Register for NSW Health?

I understand that according to NSW Policy that in such events staff should be advised in writing about that.

Can you please advise and confirm.”

  6. The Applicant followed up this 11 June 2020 email on 19 June 2020 and, shortly after receipt of the Applicant’s 19 June 2020 email, Ms Le Sage confirmed by email dated 19 June 2020 that she would look into the Applicant’s inquiries noting:

“Thank you for your inquiry and apologies for the delay, I am having this looked into for you and will respond as soon as possible.”

  7. After a further follow up email from the Applicant Ms Le Sage commenced initial inquiries within the Respondent, which included forwarding copies of the Applicant’s emails to other employees of the Respondent to obtain their assistance in dealing with the Applicant’s queries and confirmed to the Applicant in an email dated 26 June 2020 that she was:

“… asking a few questions to the recruitment team, if they are not able to provide a response I will seek HR assistance.”

  8. A little later on 26 June 2020 the Applicant replied via email “Thanks, much appreciated”. Ms Le Sage then sought and received advice from the Respondent’s Associate Director of Customer Engagement to the effect that the Applicant’s queries were properly matters for the HR team of SESLHD, not the Respondent. Ms Le Sage sent a further email to the Applicant on 26 June 2020 in which Ms Le Sage stated, in summary and most relevantly:

“I have just heard back and this is a question for your local HR department as we are unable to see those specific details from our end (Payroll).

Please let me know if you have any trouble getting hold of them and I will try and help where I can.”

  9. Later on 26 June 2020 the Applicant replied to Ms Le Sage’s 26 June 2020 email referred to in [8] above and changed the subject line of the email to “Confidential PID”. In that email the Applicant, in summary and most relevantly, stated as follows:

“1 – As per your email below, You had questions and you sent it to the recruitment TEAM, who did not want to answer or respond to you straightaway and avoided a response for long [time].

2 – and you indicated that you will seek HR assistance. What happened suddenly?

3 – Now Recruitment team distanced itself.

4 – You mentioned (as we are unable to see those specific details from our end (payroll)).

- Recruitment team you contacted is not the payroll.

Any system administrator in recruitment can see all the back end of the system and can see all this information and all the audit trail of my record. (Who accessed it, when, why, what changed).

5 – I believe if there is one staff locally acting inappropriately, I believe this would be lack of transparency by [the Respondent] and such practices by [the Respondent] would be protecting them and giving predators the opportunity to victimise staff more and more.

6 – and this would be denying staff rights as per NSW Health policy.

If this is the stand of [the Respondent] to protect and cover [up] then I just need to know that in writing.

Can you please advise.”

  10. On 29 June 2020 Ms Le Sage responded to the Applicant by email and informed the Applicant that, in summary and most relevantly:

“The recruitment team who I liaised with do not have access to the details you are requesting relating to the Service Check Register (SCR) therefore they were unable to help with the inquiry. I have since raised your matter with a manager within our records services department within [the Respondent] to see if they can help shed any further light.

Whilst we await a response from the above, I have contacted my key contact at South Eastern Sydney Local Health District Workforce and Human Resources to flag for review on a local level with your concerns of potential error in name on the SCR or potential inappropriate behaviour within the recruitment process.”

  11. After sending the email referred to in [10] above to the Applicant, and despite earlier referring to having already contacted her key contacts at SESLHD, Ms Le Sage then sent an email to two staff members at SESLHD regarding the Applicant’s queries on 29 June 2020. Ms Le Sage also forwarded the chain of emails between the Applicant and the Respondent up to that date, including the initial inquiry which included the Applicant’s name, date of birth, employee number and the fact and content of the request for assistance (i.e. the personal information of the Applicant).

  12. Less than two hours after the email referred to in paragraph [10] sent by Ms Le Sage to the Applicant, the Applicant responded by email, in summary and most relevantly, as follows:

“What is the point of me putting my email CONFIDENTIAL under PID?

1 – My email to you asking what happened to change your position. And distance recruitment and yourself?

And I put my concerns to you in writing about that they will not say the truth and hid the truth.

2 – I find it very disturbing, and alarming if I advised you about PID and the risks of victimisation and the chance that someone is acting inappropriately.

– And then you just contact them without asking me first and without putting the name of the staff you contacted [to me] and without cc me or asking me if this would be OK.

3 – What if you simply contacted the exact person or those who may did wrong.

4 – I believe that that is simply victimising anyone who tries to speak out in NSW Health.

6 – Can you please advise me about the record contact kept about me in [the Respondent’s] Recruitment, either comment or CSR and who placed them?

7 – You have no consent from me to talk or release any information about me to the local human resource.”

  13. On 30 June 2020 the Applicant emailed Ms Le Sage following up on the Applicant’s email on 29 June 2020 referred to in [12] above and, in summary and most relevantly, requested as follows:

“– And as I mentioned and I indicated in detail in my email to you yesterday and based on from point 1 to point 7, I do appreciate if I receive what I requested and as per the email below.

What is in my record where comments, alert, SCR or anything alike? and the audit trail.

– And no consent to contact human resources or external third parties.”

  14. On 1 July 2020 Ms Le Sage sent an email to the Applicant explaining, in summary and most relevantly, that:

“[In relation to the Service Check Register of New South Wales Policy Directive]

‘A staff member must be informed in writing of a decision to place the name on the SCR or a decision to maintain the name on the SCR following a finding of misconduct, along with information about their review rights and how their name may be removed, and advise that the SCR database is checked as part of the recruitment process. This should be done before the SCR record is created or before the SCR record is updated following a finding of misconduct at the time of informing the staff member of the decision to take administrative, remedial or disciplinary action.’

If you have not been notified and you have concerns around this or wish to view any details that may have been placed under your name within the Service Check Register you will need to contact your Local Health District Human Resources Department as [the Respondent] does not provide HR related services for the Health Agencies.”

  15. On 2 July 2020 the Applicant emailed a complaint to the Chief Executive of the Respondent setting out the Applicant’s concerns and complaints about the treatment the Applicant had received at the hands of Ms Le Sage of the Respondent and repeated the Applicant’s original request (in the Applicant’s 11 June 2020 email) that the Respondent answer if there were:

“… any comments or alarms, or notes or imply, or alert, or advise, or recommendations. In any shape or manner in my record?

7 – Is not [the Respondent] the custodian of the information kept in Recruitment System for NSW Health?

8 – Does [the Respondent] print posters claiming they will do what they said they will do to actually mean it? or they are for other reasons? I have many posters in front of me and [the Respondent] did not abide with any.”

  16. On 3 July 2020 the Acting Director of Customer Experience at the Respondent provided a formal response to the Applicant’s complaint of 2 July 2020 (referred to in [15] above), which response confirmed that the Respondent does not have access to the personnel records of the Applicant and that access to recruitment-related information must be facilitated by the person’s employer which, in this case, was SESLHD.

  17. On 25 December 2020 the Applicant applied to the Respondent for an internal review pursuant to s 53 PPIP Act in relation to certain conduct of concern, namely that by disclosing certain of the Applicant’s personal information to SESLHD on two separate occasions without the knowledge or consent of the Applicant the Respondent twice contravened the PPIP Act.

The internal review application

  18. The Applicant’s request for an internal review of alleged privacy breaches resulting from certain conduct of concern was sent to the Respondent by email dated 25 December 2020 (IR Request). In summary and most relevantly, the IR Request outlined the conduct of concern as follows:

  1. The Respondent breached the Applicant’s privacy and confidentiality without their knowledge or consent (Conduct of Concern 1) multiple times and also disclosed sensitive information and identity of a person making a PID (Public Interest Disclosure) and the Respondent knowingly and willingly identified the Applicant multiple times and placed them at serious risk in their employment which may have resulted in bullying of them.

  2. According to the Applicant’s email of 29 June 2020, the Applicant’s clear intention was that the inquiry and all communications were to be under Public Interest Disclosure and be treated as confidential. As far as the Applicant understood, reference to PID and confidentiality should prevent disclosure of the names and ensure the confidentiality of that correspondence, even if the Applicant did not ultimately submit under PID. That is, the ‘Confidential PID’ subject line should have protected the confidentiality of the Applicant’s personal information or, at least, alerted the Respondent to the Applicant’s expectation that it was not to be disclosed.

  3. The Applicant’s inquiry and subsequent emails to Ms Le Sage, the personal information contained in them and the fact the Applicant had made such an inquiry of the Respondent were forwarded (i.e. disclosed) to SESLHD without the Applicant’s knowledge or consent, even though it was evident in the Applicant’s emails that they were concerned about SESLHD and were at risk of and worried about being preyed on and victimised by SESLHD (Conduct of Concern 2).

  4. A second disclosure privacy breach was the disclosure of the Applicant’s personal information being the fact and contents of the Applicant’s complaint to the Chief Executive of the Respondent. Instead of investigating the complaint the Respondent passed on the Applicant’s personal information being the fact and details of the complaint to senior people at SESLHD (Conduct of Concern 3) who confronted the Applicant with it.

  5. The Applicant believes that the Respondent breached their privacy by disclosure at least two times, acted without their knowledge and subjected them to multiple risks and caused the Applicant damage and loss by wrongfully disclosing their personal information to SESLHD.

  19. The Respondent acknowledged receipt of the IR Request by an undated letter in which the Respondent states that the Respondent will complete the requested internal review by 22 February 2021.

Internal review decision

  20. On 12 March 2021, well after the Respondent’s notified date for completion of the internal review, the Applicant emailed the Chief Audit Executive of the Respondent, noted the passing of the Respondent’s deadline for completion of the internal review and asked why the Applicant had not yet received the internal review decision.

  21. Almost two months after the filing by the Applicant of an application for administrative review by this Tribunal on 19 March 2021 (AR Application), in a letter dated 7 May 2021 entitled “Re: Outcome of Your Application for Privacy Internal Review” Mr Noel Patterson, Review Officer of the Respondent, notified the Applicant of the outcome of the Respondent’s internal review (IR Decision). The IR Decision attached a copy of the Respondent’s “Report of Internal Review Under the PPIP Act 1998” (prepared by the Respondent) and a report entitled “Project Cedar: Internal review of potential privacy breaches” dated 19 April 2021 issued by Deloitte Touche Tohmatsu (Sydney office) (Deloitte) which attached the redacted exhibits referred to in the Deloitte report.

  22. The IR Decision (including in the reports referred to in [21] above) states, most relevantly and in summary, that:

  1. The Applicant’s information related to the identity of the individual who submitted the ‘complaint’ (i.e. the inquiry) is personal information as defined under the PPIP Act and this information included the Applicant’s name, email address and date of birth.

  2. Deloitte were unable to confirm that the Applicant had reported a PID in accordance with the NSW Health PID Policy Directive and therefore whether the information in question would be considered to be confidential information because of being a submitted PID.

  3. The conduct of concern relevant to the IR Request was that the Respondent’s staff:

  1. provided the Applicant’s identity to SESLHD; and

  2. provided the Applicant’s complaint to SESLHD (i.e. Conduct of Concern 2).

  23. The IR Decision addressed the alleged breach of s 18 PPIP Act/IPP 11 relating to Conduct of Concern 2, but not Conduct of Concern 3. The Deloitte report found, in summary and most relevantly, as regards Conduct of Concern 1 and Conduct of Concern 2 that:

  1. s10 PPIP Act requiring the Respondent to take reasonable steps to make the Applicant aware of certain matters was not breached as the personal information of the Applicant was not requested by the Respondent but provided voluntarily and the Applicant was (subsequent to the receipt of the information by the Respondent) made aware of the intended recipients of the information by Ms Le Sage;

  2. the disclosure was directly related to the purpose for which the information was collected and, pursuant to s 18(1)(a) PPIP Act, Ms Le Sage had no reason to believe that the Applicant would object to the disclosure;

  3. pursuant to s 18(1)(b) PPIP Act the Applicant was reasonably likely to have been aware, and was ultimately made aware by Ms Le Sage, that the personal information provided by the Applicant would be disclosed to other persons or bodies in order for Ms Le Sage to respond to the Applicant’s inquiries; and

  1. as a result of (a) to (c) above, the Deloitte report and thus the IR Decision concluded that there was no breach of the Applicant’s privacy by the Respondent not taking reasonable steps to make the Applicant aware of matters in s 10 PPIP Act/IPP 3 (i.e. Conduct of Concern 1) or which occurred by Ms Le Sage disclosing to SESLHD the Applicant’s personal information relating to the inquiry originally made by the Applicant (i.e. Conduct of Concern 2).

  24. The conduct of concern in relation to the Applicant’s complaint to the Chief Executive of the Respondent (i.e. Conduct of Concern 3) is not addressed in the Deloitte report (or anywhere in the IR Decision) which is limited to Conduct of Concern 1, internal disclosures within the Respondent (which are not an issue in these proceedings) and the disclosure of the Applicant’s personal information by Ms Le Sage to the SESLHD (i.e. Conduct of Concern 2).

The Administrative Review application

  25. As noted above, on 19 March 2021 (i.e. prior to receipt of the IR Decision on 7 May 2021) the Applicant filed the AR Application on the basis that no internal review decision had been provided by the Respondent within 60 days of the IR Request. The AR Application attached the IR Request and referred to Conduct of Concern 1, Conduct of Concern 2 and Conduct of Concern 3.

Scope of administrative review proceedings under the PPIP Act

  26. It is not in dispute that the Tribunal has jurisdiction to determine this matter pursuant to s55 PPIP Act, s30 Civil and Administrative Tribunal Act 2013 (CAT Act) and s63 Administrative Decisions Review Act 1997 (ADR Act).

  27. The scope of the request for internal review (i.e. the IR Request in this case) sets the scope of the AR Application (in this case) and thus the extent of the external review before the Tribunal. The scope of the IR Request (i.e. the ‘conduct of concern’ to be considered) is a matter of fact to be determined by objectively and reasonably construing the IR Request.

  28. Several decisions of the Appeal Panel have set out some fundamental principles that govern the scope of a review of an agency's conduct under the PPIP Act by this Tribunal. In an application for administrative review of an agency’s conduct under s55(1) PPIP Act (i.e. the AR Application in this case), the Tribunal is limited to reviewing the conduct of concern the subject of the original application for the internal review (i.e. in this case the IR Request). The Tribunal does not have jurisdiction to review conduct of the agency allegedly breaching the IPPs that was not the subject of the application for internal review to the agency: Department of Education and Training v GA (No 3) [2004] NSWADTAP 50 at [7]; Department of Education and Training v ZR (No 2) [2009] NSWADTAP 44 at [17]; and CEU v University of Technology Sydney [2018] NSWCATAD 13 at [76].

  29. As noted in [18] above, the IR Request is stated to be in relation to Conduct of Concern 1, Conduct of Concern 2 and Conduct of Concern 3 and the alleged resulting breaches of the PPIP Act. That is, in summary and most relevantly, the conduct of concern the subject of review before the Tribunal in these proceedings is:

  1. the failure of the Respondent to take reasonable steps to make the Applicant aware of the matters specified in s 10 PPIP Act /IPP 3 before or as soon as practicable after the collection of the Applicant’s personal information (i.e. Conduct of Concern 1);

  2. the disclosure by Ms Le Sage in her email dated 29 June 2020 of the personal information of the Applicant (i.e. the fact of the Applicant’s inquiry and the contents of the email chain between the Respondent and the Applicant and the Applicant’s original details including in and related to the Applicant’s inquiry email dated 11 June 2020) to the SESLHD (i.e. Conduct of Concern 2); and

  3. the disclosure of the Applicant’s personal information included in and related to (including the fact of) the Applicant’s complaint to the Respondent’s Chief Executive dated 2 July 2020 to the SESLHD (i.e. Conduct of Concern 3).

  30. The Tribunal’s role is to review the conduct of concern in issue (in this case Conduct of Concern 1, Conduct of Concern 2 and Conduct of Concern 3) and to consider what action(s), if any, should be taken by the agency (i.e. the Respondent in this case), it is not to review the findings of the internal review report (i.e. the IR Decision in this case): DED v Randwick City Council [2017] NSWCATAD 327 at [50]. The Tribunal considers the conduct of concern afresh, based on the evidence and material before it at the time of the hearing: Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409 and KT v Sydney Local Health Network [2011] NSWADT 171.

  31. Section 30(2)(b) CAT Act confirms that the Tribunal may exercise the functions that are conferred or imposed by the ADR Act or enabling legislation in connection with the conduct or resolution of the proceedings. By s63(2) ADR Act the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the relevant decision (i.e. in this case the person making the IR Decision, even though the IR Decision findings are not the subject of the review by the Tribunal).

Applicable Legislation

  32. ‘Personal information’ is defined by s 4(1) PPIP Act as:

“personal information” means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

  33. Section 4(5) PPIP Act provides a clarification as regards the collection of personal information by agencies as follows:

(5)  For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.

  34. As noted in AIN v Medical Council of New South Wales [2017] NSWCATAP 23 at [112], the definition of ‘personal information’ in the PPIP Act is broad and is to be interpreted broadly.

  35. The Full Federal Court in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 found at [63], in applying the then very similar definition of ‘personal information’ in the Privacy Act 1988 (Cth), that:

The words ‘about an individual’ direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters. Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not ‘about an individual’ it might be about the individual when combined with other information. However, in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.

  36. The various IPPs are set out in Part 2 of the PPIP Act (ss 8-19) which, most relevantly in this case, includes IPPs 3 and 11 in relation to the disclosure of personal information.

  37. IPP 3 (s 10 PPIP Act) requires:

10   Requirements when collecting personal information

If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following—

(a)  the fact that the information is being collected,

(b)  the purposes for which the information is being collected,

(c)  the intended recipients of the information,

(d)  whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,

(e)  the existence of any right of access to, and correction of, the information,

(f)  the name and address of the agency that is collecting the information and the agency that is to hold the information.

  38. IPP 11 (s 18 PPIP Act) provides that an agency must not disclose personal information to other than the individual to whom the information relates (i.e. the Applicant in this case) unless, in summary:

  1. the disclosure is directly related to the purpose for which it was collected and there is no reason to believe the individual concerned would object (s 18(1)(a) PPIP Act);

  2. the individual is reasonably likely to have been made aware that such information is usually disclosed to that other person (s 18(1)(b) PPIP Act); or

  3. the agency believes on reasonable grounds that disclosure is necessary to prevent or lessen a serious or imminent threat to life or health of any person (s 18(1)(c) PPIP Act).

  39. In the context of IPP 11 the ‘essence of disclosure of information is making known to a person information that the person to whom the disclosure is made did not previously know’ (Nasr v State of New South Wales (2007) NSWCA 101 at [127]).

  40. Section 27A of the PPIP Act provides that, in certain specified circumstances, public sector agencies may be exempted from certain of the IPPs relating to the collection, use or disclosure of personal information exchanged by those agencies. Section 27A provides:

27A Exemptions relating to information exchanges between public sector agencies

A public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if:

(a) the agency is providing the information to another public sector agency or the agency is being provided with the information by another public sector agency, and

(b) the collection, use or disclosure of the information is reasonably necessary:

(i) to allow any of the agencies concerned to deal with, or respond to, correspondence from a Minister or member of Parliament, or

(ii) to enable inquiries to be referred between the agencies concerned, or

(iii) to enable the auditing of the accounts or performance of a public sector agency or group of public sector agencies (or a program administered by an agency or group of agencies).

The Hearing

  41. The hearing took place by telephone on 27 October 2021 (Hearing).

  42. In addition to the oral submissions presented to me by both parties at the Hearing, the following written submissions and evidence were submitted by the parties for consideration by the Tribunal:

Applicant

  1. The Applicant’s Submissions and attached documents dated 1 August 2021 (Applicant Submission).

  2. The Applicant’s Submissions in Reply and attached documents dated 19 October 2021 (Reply Submissions).

  3. The Administrative Review application dated 19 March 2021.

Respondent

  1. The Section 58 Administrative Decisions Review Act bundle of documents submitted on 9 June 2021.

  2. Affidavit of Ms Shaye Le Sage dated 2 September 2021 (Le Sage Affidavit).

  3. Submissions of the Respondent dated 2 September 2021 (Respondent Submissions).

  4. Bundle of authorities dated 15 September 2021.

  5. Affidavit of Mr Andrew Bell dated 26 October 2021 (Bell Affidavit).

The issues for determination

  1. From the IR Request, AR Application and the submissions of the parties, the issues to be determined by the Tribunal are:

  1. As a preliminary issue, whether Conduct of Concern 3 has been adequately addressed and, if not, what should be done by this Tribunal in respect of Conduct of Concern 3?

  2. What is the relevant personal information of the Applicant the subject of the Conduct of Concern 1, Conduct of Concern 2 and the Conduct of Concern 3?

  3. In respect of Conduct of Concern 1 whether, in the circumstances:

  (a) the Respondent had an obligation to take reasonable steps to make the Applicant aware of the matters specified in s 10 PPIP Act; and

  (b) if yes to (a), Conduct of Concern 1 was contrary to s 10 PPIP Act/IPP 3.

  4. In respect of Conduct of Concern 2 whether, in the circumstances, such was:

  (a) contrary to s 18 PPIP Act/IPP 11; and/or

  (b) exempted (i.e. therefore the disclosure is excused) under s 27A(b)(ii) PPIP Act.

  1. As noted at [3] above, the Hearing was and these Reasons for Decision are limited to the issue of liability (i.e. whether any breaches of the IPPs/PPIP Act occurred) and do not consider or determine the remedies (if any) to be ordered as a result of the findings of the Tribunal as to liability.

The Applicant’s submissions and evidence

  1. The Applicant’s evidence (i.e. the email exchanges) attached to the Applicant Submissions and Reply Submissions is mainly as summarised in [4] to [17] above.

  2. In addition to the evidence detailed in [4] to [17] above, the Applicant submitted in the Applicant Submissions, Reply Submissions and orally at the Hearing, in summary and most relevantly, as follows:

  1. The Respondent disclosed the Applicant’s personal information (including the fact and nature of (a) the inquiry in Conduct of Concern 2 and (b) the complaint to the Chief Executive of the Respondent in Conduct of Concern 3) without the Applicant’s knowledge or consent, including without informing the Applicant of the required matters in IPP 3.

  2. The references in Ms Le Sage’s emails to “Recruitment and HR” were understood by the Applicant to be references to the Respondent’s “Recruitment and HR” department or function as is indicated on the Respondent’s ‘org chart’ (under the “Workforce” division of the Respondent) which is attached to the Applicant Submission.

  3. There was no specific reference to the Recruitment or HR functions being at SESLHD until after the Respondent had informed the Applicant that it had reached out to the HR function at SESLHD. That is, for the bulk of the communications between the Applicant and the Respondent there was no indication that either “HR” or “Recruitment” were anything other than the internal functions of the Respondent.

  4. When informing the Applicant that the Respondent did not have the relevant information the Respondent suggested the Applicant contact SESLHD and indicated that, if the Applicant had any trouble in finding out the information from SESLHD, the Respondent may be able to assist at that time.

  5. Prior to the Respondent’s unilateral decision to reach out to SESLHD and forward the Applicant’s personal information to them, the Applicant changed the subject line in the Applicant’s emails to state “Confidential PID” and clearly noted in the contents of that email the Applicant’s concern with disclosing their information to SESLHD. Both the reference to “Confidential PID” and the contents of the email should have alerted the Respondent, whether or not a PID had actually been submitted, to (a) the confidentiality of that and the prior email chain between the Applicant and the Respondent in relation to this matter (i.e. the Applicant’s personal information) and (b) that the Applicant would object to disclosure of their personal information to SESLHD.

  6. As regards “Privacy Breach number 2” (i.e. Conduct of Concern 3), the Respondent passed on (i.e. disclosed) to SESLHD details of (i.e. the Applicant’s personal information in relation to) the complaint made by the Applicant to the Chief Executive of the Respondent on 2 July 2020, which information was then referred to and used against the Applicant by SESLHD.

The Respondent’s submissions and evidence

  1. The Respondent’s submissions from the Respondent Submissions and made orally during the Hearing in relation to the scope of the review by the Tribunal and the personal information of the Applicant in question are, in summary and most relevantly, as follows:

  1. The Applicant’s material refers to two privacy complaints, the second being an alleged breach of privacy committed by Ms Carmen Rechbauer (the CEO of the Respondent) for failing to deal with the Applicant’s privacy complaint properly. There is no arguable breach of privacy legislation in relation to this second alleged privacy breach (i.e. Conduct of Concern 3) as Ms Rechbauer is merely the addressee of the Applicant’s complaint.

  2. The Tribunal lacks jurisdiction to consider the Conduct of Concern 3 issue (i.e. the second alleged breach of privacy) as the internal review application (i.e. IR Request) identifies no privacy issue relating to Ms Rechbauer.

  3. As a result of (1) and (2) above, the Respondent’s submissions address only the privacy complaint concerning the disclosure of the Applicant’s personal information by Ms Le Sage to the SESLHD (i.e. Conduct of Concern 2).

  4. The Applicant likely obtained Ms Le Sage’s email address from the Respondent’s “customer-facing” intranet page pertaining to inquiries and an escalation process for inquiries.

  5. The “personal information” the subject of the IR Request and these proceedings is:

  (a) that the Applicant is concerned about an error or notation on the SCR or comments in the recruitment system about the Applicant; and

  (b) the Applicant’s email address, employee ID number and contact details.

  6. As the Applicant’s employer the SESLHD, through its HR Team, already held the relevant information noted in (5)(b) above so there can be no “disclosure” of that information to the SESLHD by the Respondent.

  7. In relation to the information noted in (5)(a) above, correspondence from the Applicant suggests that this information (i.e. a similar request/enquiry) may also have been disclosed to the SESLHD by way of an inquiry made by the Applicant of SESLHD. That is, the Applicant’s correspondence with the Respondent suggested that they may have made a similar inquiry to SESLHD and the Applicant did not respond to requests from the Respondent for further information in respect of this issue. The Applicant therefore must establish that ‘new information’ was transferred to SESLHD by the Respondent.

  8. The “essence of disclosure of information is making it known to a person information that the person to whom the disclosure is made did not previously know” citing NASR v NSW [2007] NSWCA 101 at [127, 132].

  9. The Respondent accepts that a transfer, for the first time, of information from the Respondent to the SESLHD would amount to “disclosure” for the purposes of s 18 PPIP Act because the Respondent and SESLHD are separate entities.

  1. In relation to s 18 PPIP Act/IPP 11, the Respondent submitted in the Respondent Submissions and orally at the Hearing, in summary and most relevantly, that:

  1. Section 18(1)(a) PPIP Act is relied on by the Respondent and provides an exemption from the principle that a “public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body” on the basis that “the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information [i.e. the Respondent in this case] has no reason to believe that the individual concerned would object to the disclosure”.

  2. There must be a direct relationship between the purpose of disclosure and the purpose for which the information is originally provided, which includes disclosures that further that purpose. Citing BV v the Commissioner of Police (New South Wales) [2021] NSWCATAD 250 the Respondent submits that the communication by Ms Le Sage to the SESLHD was “very closely related” to the original purpose for collecting the information from the Applicant. That purpose for collection was to assist the Applicant to resolve the issues about potential errors in a human resources database about the Applicant. For precisely that purpose Ms Le Sage contacted the SESLHD and connected promptly with the person at SESLHD who could assist (being an officer with authority at the SESLHD in relation to the SCR).

  3. Citing DMW and DMX v NSW Local Land Services [2019] NSWCATAD 128 (DMW & DMX Land Services) and noting this related to “directly analogous circumstances to the current case” the Respondent submitted that the Respondent had no reason to believe the Applicant would object to the disclosure to SESLHD.

  1. The Respondent also submitted that the Respondent assisted the Applicant by contacting SESLHD, of which possibility the Applicant had been advised in advance by Ms Le Sage in the email correspondence. While the Applicant may have had an unexpressed preference for Ms Le Sage and the Respondent not to contact the SESLHD, the question is whether the Respondent had reason to expect that the Applicant would object to the disclosure to the SESLHD. In these circumstances, there was no reason for the Respondent to think that the Applicant would object to the disclosure and, accordingly, s 18(1)(a) therefore applies to permit the disclosure to SESLHD.

  1. In the alternative, the Respondent submitted orally at the Hearing and in the Respondent Submissions that it was exempted from compliance with s 18 PPIP Act by s 27A PPIP Act as the SESLHD and the Respondent are public sector agencies and the Conduct of Concern 2 disclosure of the Applicant’s personal information (if established) was reasonably necessary to enable inquiries to be referred between those agencies. In support of this submission the Respondent cited DMW & DMX v NSW Rural Fire Service [2019] NSWCATAD 158 (DMW & DMX Fire Service) which it submitted is “directly analogous”.

  2. The Respondent submitted that, just like in DMW & DMX Fire Service, the Respondent contacted an external agency (i.e. SESLHD) for the purpose of assisting the Applicant with their inquiry.

  3. In the Le Sage Affidavit, in addition to setting out the chronology and the evidence detailed in [4] to [17] above, Ms Le Sage states in summary and most relevantly that:

  1. She works in the ‘Customer Engagement’ directorate of the Respondent and her role is to assist customers with their inquiries in the payroll services area. Her (and the Customer Service Department’s) details are available in at least two places online dealing with where and how to make inquiries of the Respondent.

  2. She understood the comment in the Applicant’s email dated 26 June 2020 (see [9] above) “and you indicated you will seek HR assistance. What happened Suddenly” to ask why Ms Le Sage had not contacted the SESLHD HR as she had previously suggested would need to happen and which she had offered to do.

  3. She is not a lawyer and did not understand the reference to “Public Interest (PID)”. On 29 June 2020 she sent an email to SESLHD and also forwarded the email thread with the Applicant to SESLHD. At the time she believed that the Applicant would have no issue with her contacting the SESLHD.

  4. From her experience in her role, she understood the people she contacted in the SESLHD to be trusted and well-respected. She did not doubt that they would deal with the inquiry confidentially and professionally, as it was a human resources matter.

  1. In the Bell Affidavit Mr Bell attaches correspondence with the Applicant dated 2 September 2021, 10 September 2021, 13 September 2021, 21 September 2021 and 22 October 2021 requesting (and then following up on the 2 September 2021 request) for information about correspondence between the Applicant and SESLHD relating to paragraphs [29] to [34] of the Respondent Submissions. Mr Bell noted that, if such was not forthcoming, the Respondent would seek a summons issued on SESLHD to obtain such correspondence to determine the issue. That is, about the issue raised by the Respondent about the potential prior disclosure of the relevant personal information (see [44(5)(a)] above) by the Applicant to SESLHD.

Consideration and findings

Preliminary issue

  1. Conduct of Concern 3 was not addressed in the IR Decision and only briefly dealt with in the Respondent Submissions (see [44(3)] above) before being dismissed by the Respondent based on its submission that the Tribunal lacks jurisdiction to consider Conduct of Concern 3 as the internal review application (i.e. IR Request) identified no privacy issue relating to the Chief Executive of the Respondent.

  2. Also, while submissions were made by the Applicant in respect of the Conduct of Concern 3 in the Applicant Submissions and orally at the Hearing, no evidence was presented by the Applicant to establish that Conduct of Concern 3 had occurred.

  3. As noted in [18] above, the IR Request did identify Conduct of Concern 3 as part of the conduct of concern, the consideration of which is therefore within the scope of the administrative review by this Tribunal in these proceedings and which should have been considered and addressed in the IR Decision.

  4. While Conduct of Concern 3 may not be, in the Respondent’s words, a “privacy issue” relating to Ms Rechbauer as Chief Executive of the Respondent, it is clearly conduct of concern of the Respondent (not necessarily by the Chief Executive) raised by the Applicant as allegedly disclosing to SESLHD the fact (and contents) of a complaint by the Applicant to the Chief Executive of the Respondent.

  5. Based on my comments in [50] and [51] above, I find that I am unable to make a determination on the issue of liability in respect of Conduct of Concern 3 due to the lack of evidence and submissions on this issue before the Tribunal.

  6. While I appreciate that these proceedings and Reasons for Decision are not addressing remedies, I feel it important to foreshadow the Tribunal’s current thinking in relation to dealing with Conduct of Concern 3 based on my finding in [55] above. That is, that Conduct of Concern 3 could be remitted to the Respondent to undertake an appropriate internal review of this conduct of concern, making appropriate investigations into the Applicant’s allegations in relation to that conduct of concern and issue an internal review decision in respect of such.

What is the Applicant’s personal information subject to these proceedings?

  1. The Respondent submitted that the personal information of the Applicant which is the subject of these proceedings is (a) the Applicant’s email address, employee ID number and contact details (already known to SESLHD) and (b) that the Applicant is concerned about an error or notation on the SCR or comments in the system about the Applicant (see [44(5)(a)] above). In the case of (b), a concern about an error or notation on the SCR or comments in the recruitment system, the Respondent submitted (although it did not pursue a summons to obtain the relevant evidence to establish) that the Applicant “may” have also made that inquiry to SESLHD. Therefore, in both cases (that is, (a) and (b) above) SESLHD would have known the personal information already and thus provision of it to SESLHD by the Respondent would not be a disclosure.

  2. However, the Respondent’s submissions summarised in [57] above ignore a fundamental aspect of what constitutes the personal information of the Applicant in this case. The Applicant’s email address, employee ID number and contact details (Employee Details) are clearly known by SESLHD and possibly, although not established by the Respondent, SESLHD may have known about the content or nature of the Applicant’s inquiry in Conduct of Concern 2 (a concern about errors on the SCR or comments in the recruitment system about the Applicant) from a similar inquiry made to SESLHD (Inquiry Contents). If so, the provision to SESLHD of the Employee Details and the Inquiry Contents alone by the Respondent may not constitute a disclosure for the purposes of IPP 11. However, the personal information of the Applicant in this case is not limited to the Employee Details and the Inquiry Contents but includes (a) the fact that the Applicant made the inquiry to the Respondent, (b) the contents of and statements made about SESLHD in the Conduct of Concern 2 email correspondence and (c) in the case of the Conduct of Concern 3, the fact that the Applicant made a complaint to the Chief Executive of the Respondent and the content of that complaint.

  3. Even if the Applicant had already made the Inquiry Contents known to SESLHD, by making a similar inquiry, the personal information of the Applicant which has been disclosed in this case included the fact that the Applicant made such an inquiry to the Respondent as well as the content of the chain of emails relating to such inquiry. Also, the fact that the Applicant had complained to the Chief Executive of the Respondent (as well as the content of such complaint) is, in this case, the personal information of the Applicant and the subject of these proceedings (i.e. Conduct of Concern 3).

  4. Given my finding above at [55] I will, for the remainder of these Reasons for Decision, confine my consideration of the issue of liability in relation to Conduct of Concern 1 and Conduct of Concern 2.

Was there a breach of IPP 3/s 10 PPIP Act?

  1. The position of the Respondent as detailed in the IR Decision (see [22](4)(a) above) and its submissions is that, as the inquiry and personal information subsequently provided to the Respondent by the Applicant was not requested by the Respondent, the relevant personal information is not ‘collected’ by the Respondent pursuant to s 4(5) PPIP Act. In such a case, if not collected by the Respondent, IPP 3/s 10 PPIP Act does not apply to the Applicant’s personal information the subject of these proceedings. However, as the Tribunal stated in EIG v North Sydney Council [2021] NSWCATAD 313 (but in this case reading the below substituting ‘inquiry/ies’ for ‘complaint/s’):

41 As regards the Respondent’s submission that s 17 PPIP Act/IPP 10 does not apply because the Personal Information was unsolicited, I note the Tribunal’s findings in EMF v Cessnock City Council [2021] NSWCATAD 219 (EMF):

45 As regards [32(2)], I have followed the reasoning in the Appeal Panel decision in ZR v Department of Education and Training (GD) [2010] NSWADTAP 75 (ZR) which held, in particular at [58]:

“As to the text authored by the complainant in relation to the matter of concern, we are inclined to the view that, insofar as the information provided is relevant to the purposes of the agency, it ought be regarded as collected, and not treated as unsolicited. It is not, as we see it, a mere instance of passive receipt. This is a situation where the practice of the agency is to get the complaint in writing and create a record. It is requesting the information to that extent.”

46 Also the IPC has warned agencies, in its “A Guide to the Information Protection Principles”, against treating complaints as unsolicited information if the agency holds itself out as the agency to contact as regards such complaints.

47 In applying the quoted text in [45] to the facts of this case, I am satisfied that the Respondent sought or ‘solicited’ code of conduct complaints by having a policy relating to how such complaints may be made, will be handled and providing details of to whom one can make such a complaint. Thus, any personal information contained in or related to such a complaint made on this basis will prima facie be solicited information.

48 However, even if I am wrong on this, in accordance with the Appeal Panel decision in ZR at [71] “once taken under the control of the agency for one of its administrative purposes” the personal information is taken as collected. That is, the moment the Respondent keeps, assesses, deals with and/or processes the Complaint (in this case) then, even if it is originally considered unsolicited personal information, it will then become personal information collected and held by the Respondent. As such (as is the case for all solicited personal information) it is then subject to all the IPPs as amended by the Privacy Code of Practice for Local Government published in the Government Gazette Number 179 on 20 December 2019 (LG Privacy Code).

42 I am satisfied that the Relevant Personal Information was included in the information sought or ‘solicited’ as part of the Respondent providing guidance on its website and in publicly available policies around how to make complaints, including privacy complaints, and generally the Applicant’s legislative right to seek an internal review by the Respondent and, ultimately, external review by the Tribunal under the PPIP Act. However, as noted in EMF, even if the information was not solicited on this basis, once the information is taken under the control of the Respondent for its administrative purposes (e.g. to address the internal review request and, later, to participate in/defend the external review Decision proceedings before the Tribunal) the Respondent is taken to have collected the Relevant Personal Information.

  1. On the basis noted in [61] above, I find that the Respondent provided the framework for inquiries to be made (and thus for personal information to be solicited) by inclusion on its website and intranet, available to employees such as the Applicant, of the contact details and means to contact the Respondent to make inquiries. That is, inquiries are solicited by the Respondent and the Applicant’s personal information in relation to Conduct of Concern 2 was thus collected by the Respondent.

  2. However, even if I am wrong in respect of my finding in [62] above, based on numerous Tribunal decisions, once the Applicant’s inquiry and related personal information was accepted, actioned and/or processed by the Respondent (e.g. see the Respondent’s email referred to in [6] above) then the Applicant’s personal information (i.e. the fact of the inquiry and the Inquiry Content) and the content of all subsequent emails relating to such inquiry was collected by the Respondent. In either case, the relevant personal information of the Applicant in relation to Conduct of Concern 2 was collected by the Respondent and IPP 3 applies.

  3. The provision of a collection/privacy statement under IPP 3 is ‘an important right’ that was recognised by the Appeal Panel in AOZ v Rail Corporation NSW [2014] NSWCATAP 76 at paragraph [70] as an obligation which should be fully complied with by agencies:

“the provision is one that requires of agencies a practice that clearly addresses the matters in paragraphs (a) to (f) to the extent applicable and relevant. This was … a routine aspect of this area of administration … there should, in our view, have been a standard notice in place to address the matters to which [the notification principle] refers”.

  1. The requirements of IPP 3/s 10 PPIP Act are uncontroversial: an agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual is notified of the matters specified in ss 10(a) to (f) PPIP Act. In this case, on collection of personal information from the Applicant (as per [62] or [63] above), either prior to the inquiry by including a collection statement on its website and/or intranet sites detailing contacts for inquiries (for example) or providing it at the time of responding to the Applicant’s inquiry, the Respondent must have taken reasonable steps to notify the Applicant of the matters specified in ss 10(a) to (f) PPIP Act.

  2. A collection statement also helps avoid differences of understanding between individuals making inquiries and providing personal information and the agency, which misunderstanding appears to have happened in this case (see CDV v Illawarra Shoalhaven Local Health District [2016] NSWCATAD 302).

  3. Based on [61] to [66] above I find that, on the evidence and materials before me, the Respondent failed to comply with IPP 3 in not taking reasonable steps to provide the Applicant with a collection statement/privacy notice or otherwise notifying the Applicant in accordance with IPP 3 either prior to or as soon as practicable after the collection of the Applicant’s personal information.

Was there a breach of IPP 11/s 18 PPIP Act in relation to Conduct of Concern 2?

  1. Based on my conclusion in [58] and the evidence and material before this Tribunal, I find that SESLHD was unlikely to have known, prior to Conduct of Concern 2, that the Applicant had made an inquiry to the Respondent or any of the contents of the emails relating to that inquiry. The provision of the Applicant’s personal information in relation to Conduct of Concern 2 to SESLHD was, as described by the Respondent, a ‘transfer for the first time’ (see [44(9)] above) and is therefore a disclosure for the purposes of s 18 PPIP Act. Thus, unless the exception in s 18(1)(a) PPIP Act applies or the disclosure is exempted under s 27A PPIP Act, this disclosure by the Respondent will be in breach of IPP 11/s 18 PPIP Act.

  2. Based on the evidence and materials before me (in particular the evidence noted at [4] to [17] above) I find, in agreement with the Respondent submissions summarised in [45(2)] above, that the Respondent’s purpose for collection of the Applicant’s personal information in Conduct of Concern 2 was to respond to the Applicant’s inquiry as to whether or not there were any comments about the Applicant in the recruitment system/database including the Service Check Register (SCR) and, if so, who placed those comments in relation to the Applicant in the SCR (Purpose).

  3. The first of two requirements of the exception in s 18(1)(a) PPIP Act to excuse the disclosure of the Applicant’s personal information is that the disclosure is directly related to the purpose for which the information was collected by the disclosing agency (i.e. the Respondent in this case). Based on the evidence and material before the Tribunal, I find that the disclosure of the Applicant’s personal information by the Respondent to SESLHD in respect of Conduct of Concern 2 was directly related to the Purpose.

  4. The exemption under s 18(1)(a) PPIP Act, on which the Respondent relies to excuse its disclosure of the Applicant’s personal information in relation to Conduct of Concern 2, also requires that the Respondent (in this case) has ‘no reason to believe that the individual concerned would object to that disclosure’. Based on the evidence referred to in [9] above, that is the changing of the subject line of the email chain by the Applicant to refer to ‘Confidential PID’ and the contents of that email, I find that there was in fact reason for the Respondent to believe that the Applicant would object to the disclosure. The use of the word ‘confidential’ alone and/or PID (to which separate rules apply, including as to confidentiality), let alone the contents of that email, should have alerted the Respondent to the probability that the individual would object to the disclosure of their personal information contained in and relating to their inquiry and the chain of email correspondence related to such.

  5. Based on my findings and conclusions in [68] to [71] above, I find that the Respondent breached IPP 11/s 18 PPIP Act by disclosing the Applicant’s personal information in relation to Conduct of Concern 2 and such disclosure is not exempted by s 18(1)(a) PPIP Act as the Respondent did not establish that it had no reason to believe that the Applicant would object to the disclosure. Unless this disclosure is exempted under s 27A PPIP Act, the disclosure will be in breach of IPP 11/s 18 PPIP Act.

Is the disclosure of the Applicant’s personal information in Conduct of Concern 2 exempted under s 27A PPIP Act?

  1. The PPIP Act is beneficial legislation and thus the exemption in s 27A PPIP Act must be interpreted and applied narrowly as it is an exemption from the rights otherwise granted to individuals and obligations imposed on agencies under the PPIP Act and, in particular, under the IPPs.

  2. The exemption in s 27A PPIP Act requires, most relevantly in this case, that:

  1. the disclosing agency is providing personal information to another agency; and

  2. the disclosure is (a) reasonably necessary to enable (b) inquiries to be referred between the agencies concerned; and

  3. there is nothing preventing or otherwise superseding its application in the present case (i.e. does something other than the IPPs apply to limit the disclosure in question which is not subject to s 27A PPIP Act).

  1. In this case, based on the evidence and materials before the Tribunal, I am satisfied that the Respondent was providing personal information to another agency (i.e. SESLHD).

  1. The following analysis and conclusions of the Tribunal in DMW & DMX Land Services are instructive for applying s 27A PPIP Act to the circumstances of these proceedings as to whether the disclosure of the Applicant’s personal information relating to Conduct of Concern 2 is ‘reasonably necessary’:

71 Section 27A does not require that the provision of the Applicants’ information to the Council or the LMBC was ‘absolutely necessary’ or ‘indispensable’. Something less is required.

72 In this matter, DMW lodged an inquiry regarding land clearing with the LLS. The Respondent’s evidence is that land clearing is regulated by a complex statutory scheme involving multiple agencies and multiple pieces of legislation. DMW's inquiry was lodged shortly after that scheme had taken effect.

73 The LLS was not able to provide DMW with approval to undertake land clearing. However, Ms Busuttil took steps to assist DMW. She offered to contact the Council on his behalf to ask what DMW would need to do to obtain approval to clear vegetation as he proposed. She then contacted the Council, obtained information and reported this to DMW. She subsequently followed up with the Council and Ms Long also followed up with the Council and the LMBC. The Respondent submits that the disclosure of the Applicants’ personal information was "reasonably necessary" to enable DMW’s inquiry to be referred between the agencies concerned.

74 In my view, the location of the Applicants' property was important information that would allow the Council and the LMBC to accurately determine what advice to give to the Applicants. If the Respondent had not provided the locality of the Applicants' property, accurate information could not have been given. However, as it provided the locality of the Applicants' property, accurate information could be given. This also would have allowed the Applicants’ personal information to be ascertained.

75 In my view, the provision of that information was not absolutely necessary or indispensable. However, I am satisfied that it was reasonably necessary for the agencies to have that information so as to be able to provide the information that DMW had requested.

  1. Based on the submissions and evidence before the Tribunal and the reasoning set out in [76] above, I am satisfied that the original inquiry email from the Applicant dated 11 June 2020 (see [5] above) which included the Employee Details and the nature of the inquiry (Original Inquiry Email) is, if all other elements referred to in [74] above are made out, reasonably necessary to be disclosed to SESLHD for the purposes of s 27A PPIP Act and any valid referral from the Respondent under it. However, I am not satisfied that the disclosure of the remaining Conduct of Concern 2 personal information of the Applicant (i.e. all other email correspondence between the Respondent and the Applicant), including any internal emails of the Respondent relating to the inquiry, was reasonably necessary for the purpose of s 27A PPIP Act, even if all other elements of s 27A PPIP Act (see [74] above) are made out.

  2. As only the disclosure of the personal information in the Original Inquiry Email is ‘reasonably necessary’ under s 27A PPIP Act, that is s 27A PPIP Act is not relevant to the other personal information of the Applicant, my analysis below of the remaining elements of s 27A PPIP Act (see [74] above) only addresses the personal information of the Applicant in the Original Inquiry Email.

  3. As to whether the Applicant’s inquiry in the Original Inquiry Email is of a type of the inquiries to be referred contemplated by s 27A(b)(ii) PPIP Act, one must look to the Respondent’s policy as regards referrals to other agencies (and/or Local Health Districts in particular), whether this inquiry meets the criteria under that policy to be referred and, if so, in the circumstances of this case, if the inquiry in question was actually referred to SESLHD. Unfortunately, the Respondent produced no evidence nor made any submissions on this point and did not refer to its policy as regards inter-agency referrals; it simply relied on the personal information being a reasonably necessary disclosure between the agencies to enliven the s 27A PPIP Act exemption.

  4. However the onus is on the party seeking to rely on an exemption to the IPPs, such as s 27A PPIP Act, to establish its application and make out all of the elements in order for that exemption to apply (see Insurance and Care NSW v EEH [2021] NSWCATAP 350 at [61]).

  5. I am satisfied that the Respondent has not made out that Conduct of Concern 2 was an inquiry of the type referred to a Local Health District as per its policy or that, even if it was, it was actually referred in accordance with the meaning of s 27A PPIP Act. On the evidence before the Tribunal (see [10] and [11] above) it appears that the disclosure of the personal information in the Original Inquiry Email may not have been actually referred (i.e. to pass on/send the inquiry to another agency for it to address/decide or handle) to SESLHD but rather a well‑intentioned attempt to assist the Respondent to respond to the Applicant’s inquiry. That is, relevant information was to be collected from SESLHD by the Respondent and then provided by the Respondent to the Applicant. Thus, not being a ‘referred’ inquiry (even if of a type of inquiries that may be referred by the Respondent in accordance with its referral policy or arrangements) as contemplated by s 27A(b)(ii) PPIP Act. Therefore, I find the s 27A PPIP Act exemption does not apply in this case.

  6. If I am wrong in my finding in [81], I am satisfied that there is evidence of the imposition of confidentiality obligations (if not the PID protections) to all of the personal information relating to Conduct of Concern 2 prior to its disclosure (see [9] and [71] above), which obligations of confidentiality are not affected by s 27A PPIP Act which is limited to non-compliance with the IPPs, if the specified elements are made out.

  7. In addition, the failure to expressly note the possibility of disclosures of one’s personal information for referring of inquiries to Local Health Districts (in this case) in an IPP3 collection statement provided to the Applicant, which is required in paragraph 7.3 of the NSW Health’s Privacy Management Plan (PMP), and the clear restrictions placed on disclosure of personal information by the Respondent in paragraph 7.11 of the PMP also limit the application of s 27A PPIP Act as between the Respondent and the Applicant in relation to the disclosure of the Applicant’s personal information in relation to Conduct of Concern 2.

Orders

  1. The Respondent failed to comply with s 10 PPIP Act/IPP 3 by not taking reasonable steps, either before or as soon as practicable after the collection of the Applicant’s personal information, to notify the Applicant of the matters in ss 10 (a) to (f) PPIP Act.

  2. The Respondent disclosed the Applicant’s personal information to SESLHD in a breach of s 18(1) PPIP Act/IPP 11 and neither the exception in s 18(1)(a) PPIP Act nor the exemption in s 27A PPIP Act are made out in relation to Conduct of Concern 2.

  3. The Applicant is to file and serve submissions as to remedy by 21 January 2022.

  4. The Respondent is to file and serve submissions as to remedy within 28 days after receipt of the Applicant’s submissions referred to in (3).

  5. The Applicant may file and serve submissions in reply to the Respondent’s submissions as to remedy within 14 days after receipt of those submissions referred to in (4).

  6. The matter is to be relisted for directions before Senior Member Christie as to remedies on 25 March 2022 at 10am.

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Decision last updated: 15 December 2021
